OpenVPN (tap) and Static IPs



  • Hi!
    I've configured an OpenVPN server (tap) and it's working flawlessly except for one thing: I cannot assign IPs to each VPN user.
    What I do:

    • Create a new user and a certificate (user vpn)

    • Put "vpn" on the CN field

    • Save and go to VPN -> OpenVPN -> Client Specific Overrides -> Add

    • I select the only VPN on the list, put "vpn" in the Common Name field and "ifconfig-push 10.0.5.77 255.255.0.0;" in the advanced options and Save

    • Export the config for a Windows client and install it on a PC that is connected using a tethered connection through my mobile (so it's outside the office's network)

    • Login using "vpn" and the pass

    • Get another IP from the DHCP service (10.0.6.40 in this case) :(

    The server has a 10.0.0.0/16 network configured.

    I changed the "ifconfig-push 10.0.5.77 255.255.0.0;" to "ifconfig-push 10.0.5.77 10.0.0.1;" but it still won't work. I'm using pfSense 2.3.1-RELEASE-p5.

    Thanks a lot!



  • bump!


  • Rebel Alliance Developer Netgate

    One of four things is happening:

    1. The CN isn't matching (check the server log to see what it shows as connecting)
    2. The client is rejecting the ifconfig syntax (check the client log)
    3. The client is ignoring the ifconfig-push (client log may say why)
    4. You have one of the weird edge case configs that might need a manual "mode server;" in the advanced options

    Don't manually enter ifconfig-push. Use the tunnel network box instead and let the firewall figure out the syntax. For tap mode, it would be 10.0.5.77/16 in your case.

    And /16 is just insane to use for a VPN tunnel network. Why?



  • @jimp:

    One of four things is happening:

    1. The CN isn't matching (check the server log to see what it shows as connecting)
    2. The client is rejecting the ifconfig syntax (check the client log)
    3. The client is ignoring the ifconfig-push (client log may say why)
    4. You have one of the weird edge case configs that might need a manual "mode server;" in the advanced options

    Don't manually enter ifconfig-push. Use the tunnel network box instead and let the firewall figure out the syntax. For tap mode, it would be 10.0.5.77/16 in your case.

    And /16 is just insane to use for a VPN tunnel network. Why?

    The /16 is for the entire network; the VPN will use only 10.0.5.1 to 10.0.5.254.  :D

    I'll check the logs, thanks!


  • Rebel Alliance Developer Netgate

    Then the VPN tunnel network should only be 10.0.5.0/24 and the static addresses would also be set as 10.0.5.x/24

    The /16 wouldn't come into play except perhaps as a "Local Network" on the OpenVPN server settings so they get a route pushed.

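As an added example (not from this thread, and not pfSense's own code), the following Python reproduces what jimp's advice amounts to: the address typed into the override's Tunnel Network box becomes an `ifconfig-push` line whose second argument depends on dev mode and topology (tap or tun/subnet: a netmask; tun/net30: the server end of the client's /30), plus the checks a practitioner would run before blaming the client: the static address must sit inside the server's tunnel network, carry the same mask, and stay out of the dynamic pool. It also shows how to confirm from the server log which CN actually connected and which `ifconfig` was pushed to it (jimp's points 1 and 3). All addresses, the CN `vpn-laptop`, the pool range and the log lines are constructed; the net30 pairing (client gets the higher, server the lower usable address of the /30) follows OpenVPN's convention and is assumed to match what pfSense generates.

```python
"""Added example: turn a pfSense-style Tunnel Network override into ifconfig-push,
check it against the server's tunnel network, and read back what was pushed.
Not code from the forum thread or from pfSense; all data below is constructed."""
import ipaddress
import re


def ifconfig_push(override_cidr, dev_mode="tun", topology="subnet"):
    """Build the ifconfig-push line for one client override.

    override_cidr: what goes in the override's Tunnel Network box, e.g. "10.0.5.77/24".
    dev_mode:      "tun" or "tap".
    topology:      "subnet" or "net30" (only meaningful for tun).

    OpenVPN semantics: tap, or tun with topology subnet, takes <ip> <netmask>;
    tun with topology net30 takes <client ip> <server endpoint> from one /30,
    client on the higher usable address, server on the lower (assumed pfSense behaviour).
    """
    iface = ipaddress.ip_interface(override_cidr)
    if dev_mode == "tun" and topology == "net30":
        if iface.network.prefixlen != 30:
            raise ValueError("net30 topology needs a /30 per client")
        base = int(iface.network.network_address)
        client = ipaddress.ip_address(base + 2)
        server = ipaddress.ip_address(base + 1)
        return f"ifconfig-push {client} {server}"
    return f"ifconfig-push {iface.ip} {iface.netmask}"


def check_override(override_cidr, server_tunnel_cidr, pool=None):
    """Return a list of problems with a static override (empty list means it looks sane).

    pool: optional (first, last) of the server's dynamic address pool, as strings.
    """
    problems = []
    client = ipaddress.ip_interface(override_cidr)
    server = ipaddress.ip_network(server_tunnel_cidr, strict=False)
    if client.ip not in server:
        problems.append(f"{client.ip} is outside the server tunnel network {server}")
    if client.network.prefixlen != server.prefixlen:
        problems.append(
            f"mask /{client.network.prefixlen} differs from the server's /{server.prefixlen}; "
            "the client would see a different on-link range than the server"
        )
    if pool is not None:
        lo, hi = (ipaddress.ip_address(a) for a in pool)
        if lo <= client.ip <= hi:
            problems.append(
                f"{client.ip} lies inside the dynamic pool {lo}-{hi}; "
                "a dynamic client could be handed the same address"
            )
    return problems


# Server-side log line OpenVPN writes when it pushes options to a client:
#   <cn>/<peer> SENT CONTROL [<cn>]: 'PUSH_REPLY,<opt>,<opt>,...' (status=1)
PUSH_RE = re.compile(r"SENT CONTROL \[(?P<cn>[^\]]+)\]: 'PUSH_REPLY,(?P<opts>[^']*)'")


def pushed_ifconfig(log_lines):
    """Map each CN seen in the server log to the ifconfig option it was actually pushed."""
    result = {}
    for line in log_lines:
        m = PUSH_RE.search(line)
        if not m:
            continue
        for opt in m.group("opts").split(","):
            if opt.startswith("ifconfig "):
                result[m.group("cn")] = opt
    return result


# Constructed server log excerpt: the override for CN "vpn" applies, but a client
# whose certificate says "vpn-laptop" matches no override and gets a pool address.
SAMPLE_LOG = [
    "vpn/203.0.113.7:51234 [vpn] Peer Connection Initiated with [AF_INET]203.0.113.7:51234",
    "vpn/203.0.113.7:51234 SENT CONTROL [vpn]: 'PUSH_REPLY,route 10.0.0.0 255.255.0.0,"
    "ifconfig 10.0.5.77 255.255.255.0' (status=1)",
    "vpn-laptop/198.51.100.9:40022 SENT CONTROL [vpn-laptop]: 'PUSH_REPLY,route 10.0.0.0 255.255.0.0,"
    "ifconfig 10.0.6.40 255.255.0.0' (status=1)",
]


if __name__ == "__main__":
    print(ifconfig_push("10.0.5.77/16", dev_mode="tap"))            # what the /16 override produces
    print(ifconfig_push("10.0.5.77/24", dev_mode="tap"))            # what jimp recommends
    print(ifconfig_push("10.0.8.4/30", dev_mode="tun", topology="net30"))
    print(check_override("10.0.5.77/16", "10.0.5.0/24"))
    print(check_override("10.0.5.77/24", "10.0.5.0/24", pool=("10.0.5.100", "10.0.5.199")))
    print(pushed_ifconfig(SAMPLE_LOG))
```

Run it against your own server log (`/var/log/openvpn.log` on pfSense, or wherever the instance logs) instead of `SAMPLE_LOG`: if the CN in the `SENT CONTROL [...]` line is not the one you typed into the override, the override never applied, which is jimp's first case; if the CN matches but the pushed `ifconfig` is a pool address, the override's syntax was rejected server-side.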


  • I am using the subnet feature (pfSense) trying to migrate from the net30 architecture. Some of my clients are 2.1.5, the rest are 2.3.2.

    I have ifconfig-push configured properly in the server's client specific override.

    I believe I have configured this correctly because routing seems to work. However, I cannot find the client tunnel-end address I assigned to any of my clients in their routing tables, OpenVPN or FreeBSD. Ifconfig yields only 172.16.64.0 -> 172.16.64.1 (the server) on the relevant interface. OpenVPN status routes shows only 172.16.64.0 for the virtual interface.

    Is this correct?

